Regulation of Transborder Data Flows under ... - Tilburg University

More documents

Recommendations

Info

Kuner/Regulation of Transborder Data Flows under Data Protection and Privacy Law 10 transfers in that they no longer constitute point-to-point transmissions, but ‘occur today as part of a networked series of processes made to deliver a business result’. 5 These developments represent a fundamental change in the business and technological environment for data processing. At the time the OECD Guidelines were approved, transborder data flows were typically understood to refer to point-to-point transfers such as the ‘exchange of internal company administrative information, response to requests for service by customers, and maintenance of records concerning or describing customers or subjects’. 6 By contrast, many transborder data flows today involve multiple computers communicating through a network in a distributed fashion (in particular via phenomena such as ‘Web 2.0’, online social networking, search engines, and cloud computing). The following are some of the main developments that have changed the data processing landscape since the Guidelines were adopted: --The increased globalisation of the world economy. As described by the World Bank, ‘over the last few decades, the pace of this global integration has become much faster and dramatic because of unprecedented advancements in technology, communications, science, transport and industry’. 7 This has included the wholesale reduction of capital controls (such as exchange controls, and controls on the international sale or purchase of various financial assets), 8 and the liberalization of international trade through the succession of General Agreement on Tariffs and Trade (GATT) trade rounds and the foundation of the World Trade Organization (WTO). --The growing economic importance of data processing. The processing of personal data has assumed a growing economic importance in the past few years. The industry for data analytics alone has been estimated to be worth over US$ 100 billion, and to be growing at almost 10% annually. 9 --The ubiquity of data transfers over the Internet. In the past, transborder data flows often occurred when there was the explicit intent to transfer data internationally (e.g., when a computer file was sent to a specific location in another country). Nowadays, the architecture of the Internet means that even a transfer to a party in the same country may result in the message or file transiting via other countries, without the sender ever being aware of this. For example, the Spanish Data Protection Authority has stated that up to 2007 it had received notification from data controllers of 8,483 international data transfers. 10 However, all the telephone calls, e-mails, faxes, Internet browsing activities, etc. carried out between data controllers in Spain (such as companies, public sector entities, etc.) and countries outside the EU in a year, many of which may be considered 5 See Paul M. Schwartz, ‘Managing Global Data Privacy: Cross-Border Information Flows in a Networked Environment’ (2009), , at 4. 6 J.M. Carroll, ‘The Problem of Transnational Data Flows’, in: Policy Issues in Data Protection and Privacy, Proceedings of the OECD Seminar 24 th to 26 th June 1974, at 201. 7 See . 8 See International Monetary Fund, ‘Capital Controls: Country Experiences with their Use and Liberalization’ (May 17, 2000), . 9 ‘Data, data everywhere’ (n 4), at 4. 10 Spanish Data Protection Agency, ‘Report on International Data Transfers’ (July 2007), , at 5.
Kuner/Regulation of Transborder Data Flows under Data Protection and Privacy Law 11 ‘international data transfers’ in the sense of data protection law and may therefore be subject to a duty of notification, must be vastly greater than the number that was officially notified. --Greater direct involvement of individuals in transborder data flows. The development of new technologies and business models for processing personal data has led to a greater direct involvement of individuals in the way that their data are transferred across national borders. In particular, phenomena such as electronic commerce and online social networks have made it possible for individuals to initiate and even control the transborder transfer of their personal data to a much greater extent than in the past. For example, online hotel reservation systems were already being used in the 1970s when the OECD Guidelines were drafted, but access was restricted to the companies participating in them, whereas nowadays individuals can make reservations via the Internet and thus input their personal data directly. --The changing role of geography. While geography and territoriality are still the key factors for the application of data protection and privacy law, they have become less important from the business and technological points of view. Many companies structure their operations based on lines of business rather than geography, and technology allows the transfer of personal data without regard to national boundaries. --Growing risks to the privacy of individuals. The above developments have all brought great economic and social benefits to individuals, but have also increased the risks of misuse of personal data and of violations of the law. For example, there has been explosive growth in the scale and sophistication of criminal attacks against users’ personal data conducted via the Internet. 11 Despite these fundamental changes in the data processing landscape, and the growth in the regulation of transborder data flows in numerous countries, there has been little attempt to conduct a systematic inventory of such regulation; to examine the policies underlying it; and to consider whether those policies need to be re-evaluated. This study is designed to describe the present status of transborder data flow regulation, and to provoke reflection about its aims, operation, and effectiveness, now and in the future. It was prepared in the context of the 30 th anniversary of the OECD Guidelines, but is not specifically designed to evaluate them. The study first examines the background and history of transborder data flow regulation; analyzes certain issues of particular importance; and finally reaches some conclusions about how such regulation can be made more coherent and effective. The Annex contains translations of data protection and privacy law instruments from around the world that regulate transborder data flows. Before beginning, it is important to define the scope of the study: --It only considers legal issues relevant to the regulation of transborder data flows. While other issues (such as economic and social ones) may be equally important, they require separate analysis. 11 See, e.g., Symantec Corp., ‘Internet Security Threat Report, Volume XV’ (April 2010), .
Page 1 and 2: TILT (TILBURG INSTITUTE FOR LAW, TE
Page 3 and 4: Kuner/Regulation of Transborder Dat
Page 9: Kuner/Regulation of Transborder Dat
Page 61 and 62:
Kuner/Regulation of Transborder Dat
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
show all

Regulation of Transborder Data Flows under ... - Tilburg University

Create successful ePaper yourself

Delete template?

Save as template?